Ticket #46 (closed note: worksforme)

Opened 3 months ago

Last modified 3 weeks ago

Edit authentication

Reported by: rselzler Owned by: sheep
Priority: Normal Milestone:
Component: Hatta Wiki Version: unknown
Keywords: Cc:

Description

I need to authenticate authors, when they click 'Edit',
because spam-bots are now getting into the Wiki.

I've spent 3+ long days trying to get Apache 2 configured.
Authentication works, if required for any and all Wiki access,
but I can't limit the login request to the first Edit attempt.
It either always triggers or never triggers.

Help would be greatly appreciated by this newbie.

I'm attempting to use .htaccess and RewriteRule and RewriteCond
directives to trigger authentication when the URI begins with "+edit".
Is this a reasonable approach?

I'm using a DreamHost PS (private server) now,
so I can tinker with the Apache config if required.

Thanks in advance

  • Randy

Change History

comment:1 Changed 3 months ago by sheep

Just to test your problems, I experimentally set an edit password for the hatta wiki at http://oink.sheep.art.pl. It took me about 10 minutes; I did the following:

Edited the apache configuration and added this to the wiki's vhost:

WSGIPassAuthorization On

<LocationMatch  "^/([+]|%2b|%2B)(edit|save|undo)($|/)">
AuthType Basic
AuthName "Oink Wiki"
AuthUserFile /etc/apache2/oink.htpasswd
Require valid-user
</LocationMatch>

Then I ran a command to create the htpasswd file (the password is "bee"):

# htpasswd -c /etc/apache2/oink.htpasswd sheep
New password: 
Re-type new password: 
Adding password for user sheep

Then I reloaded the apache configuration:

# /etc/init.d/apache2 reload
Reloading web server config: apache2.

Then I went to the wiki and tried to edit it. It properly asked me for a password. I went to another page and tried to edit it -- it didn't ask me for the password anymore.

I can't really help more, maybe you could paste the relevant part of your apache configuration?

comment:2 Changed 3 months ago by sheep

Note that WSGIPassAuthorization On is only needed if you want Hatta to automatically fill the author name in the edit form.
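Added example (Python 3), not Hatta's code and not the configuration from the comments above: a hypothetical WSGI middleware, EditGuard, that applies the same `^/([+]|%2b|%2B)(edit|save|undo)($|/)` pattern inside the application as a second line of defence behind the Apache LocationMatch, answers those actions with a 401 when no authenticated user arrived, and turns the Authorization header that WSGIPassAuthorization On forwards into REMOTE_USER for the author name. Plain page views pass through unauthenticated, which is the behaviour the ticket asks for; demo_app and call are constructed stand-ins for the wiki and the FastCGI server.

```python
import base64
import re

# Same pattern as the LocationMatch above; Apache's PCRE and Python's re
# agree on this simple expression.
PROTECTED = re.compile(r"^/([+]|%2b|%2B)(edit|save|undo)($|/)")


def is_protected(path):
    """True if the request path is an edit/save/undo action."""
    return PROTECTED.search(path) is not None


def basic_auth_user(env):
    """Return the user name from a Basic Authorization header, or None.

    With WSGIPassAuthorization On, Apache hands the header to the app as
    HTTP_AUTHORIZATION. Apache has already checked the password against the
    htpasswd file, so only the name is extracted here.
    """
    header = env.get("HTTP_AUTHORIZATION", "")
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None          # malformed header: treat as unauthenticated
    user, sep, _password = decoded.partition(":")
    return user if sep and user else None


class EditGuard:
    """Hypothetical WSGI middleware: refuses edit actions that reach the app
    without an authenticated user, and exposes the name as REMOTE_USER."""

    def __init__(self, app, realm):
        self.app = app
        self.realm = realm

    def __call__(self, env, start_response):
        path = env.get("PATH_INFO", "")
        user = env.get("REMOTE_USER") or basic_auth_user(env)
        if is_protected(path) and not user:
            start_response("401 Unauthorized", [
                ("Content-Type", "text/plain; charset=utf-8"),
                ("WWW-Authenticate", 'Basic realm="%s"' % self.realm),
            ])
            return [b"Authentication required to edit this wiki.\n"]
        if user:
            env["REMOTE_USER"] = user
        return self.app(env, start_response)


def demo_app(env, start_response):
    """Constructed stand-in for the wiki: echoes the author it would record."""
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    author = env.get("REMOTE_USER", "anonymous")
    return [("author=%s path=%s" % (author, env["PATH_INFO"])).encode()]


def call(app, path, authorization=None):
    """Drive a WSGI app with a constructed environ; return (status, headers, body)."""
    env = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "SCRIPT_NAME": ""}
    if authorization is not None:
        env["HTTP_AUTHORIZATION"] = authorization
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(env, start_response))
    return captured["status"], captured["headers"], body.decode("utf-8")


if __name__ == "__main__":
    guarded = EditGuard(demo_app, "Oink Wiki")
    for p in ("/Home", "/+edit/Home", "/%2Bedit/Home", "/+download/style.css"):
        print(p, call(guarded, p)[0])
```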

comment:3 Changed 3 months ago by rselzler

Many Thanks...
I try to be self supporting, but I was over my head here and needed help.

Now I'm getting a redirect loop, when I hit the 'Edit' button for a page.
I'll continue to work on it, based upon your suggestions above.

FYI, here are some configuration details.
Your keen eyes may spot the problem before my trial-n-error hacks.

I'm using a hacked version of Hatta, dev from 28 Apr.

bash$ pwd
/home/rselzler2/www/s.pseis.org
bash$ ls -ld cache/ dev.py dispatch.fcgi docs/ hatta.conf hatta.py index.fcgi
drwxrwsr-x  2 rselzler2 pg2258840 4096 2010-06-18 07:23 cache//
lrwxrwxrwx  1 rselzler2 pg2258840   29 2010-06-18 11:31 dev.py -> ../../HATTA/hatta-prod/dev.py*
-rwxrwxr-x  1 rselzler2 pg2258840  346 2010-06-18 11:48 dispatch.fcgi*
drwxrwsr-x 11 rselzler2 pg2258840 4096 2010-06-18 07:23 docs//
-rw-rw-r--  1 rselzler2 pg2258840  218 2010-06-18 11:49 hatta.conf
lrwxrwxrwx  1 rselzler2 pg2258840   31 2010-06-18 11:31 hatta.py -> ../../HATTA/hatta-prod/hatta.py*
-rwxrwxr-x  1 rselzler2 pg2258840  699 2010-06-18 11:49 index.fcgi*
bash$ 

########################################################################

bash$ cat dispatch.fcgi
#!/home/rselzler2/local/bin/python
# -*- coding: utf-8 -*-

import sys, os
from flup.server.fcgi import WSGIServer

sys.path.insert(0, "/home/rselzler2/HATTA/hatta-prod/")
import hatta

config = hatta.WikiConfig()
config.parse_args()
config.parse_files()
config.sanitize()
wiki = hatta.Wiki(config)
app = wiki.application

WSGIServer(app).run()
bash$ 

########################################################################

bash$ cat hatta.conf
[Hatta]
site_name = Stage PSEIS OSS
hgweb = True

menu_page = Menu
front_page = Home
style_page = style.css
logo_page = wiki/icons/pseis_logo_h78.png
locked_page = Locked

interface = s.pseis.org
subdirectories = True
bash$ 

##########################################################################

bash$ cat index.fcgi
#!/home/rselzler/local/bin/python
# -*- coding: utf-8 -*-

import cgitb
cgitb.enable()

import sys, os
from flup.server.fcgi import WSGIServer

sys.path.insert(0, "/home/rselzler2/local/lib/python2.5/site-packages/Werkzeug-0.6-py2.5.egg")
sys.path.insert(0, "/home/rselzler2/HATTA/hatta-prod/")
import hatta

config = hatta.WikiConfig(
pages_path='/home/rselzler2/www/s.pseis.org/docs/', # XXX Edit this!
cache_path='/home/rselzler2/www/s.pseis.org/cache/', # XXX Edit this!
interface='s.pseis.org'
)
config.parse_args()
config.parse_files()
config.sanitize()
wiki = hatta.Wiki(config)

def app(env, start):
    env['SCRIPT_NAME'] = ''
    return wiki.application(env, start)

WSGIServer(app).run()

#####################################################################

Apache config, lots of DreamHost boilerplate...

cut-n-paste for this particular virtual host only...

My changes are at the bottom

## s.pseis.org : dsid 14133231, type http (cgi)

<VirtualHost 69.163.210.198:80>
ServerAdmin webmaster@s.pseis.org
DocumentRoot /home/rselzler2/www/s.pseis.org
ServerName www.s.pseis.org
ServerAlias s.pseis.org
DirectoryIndex index.html index.shtml index.htm Index.html Index.htm Index.shtml default.htm Default.htm default.html Default.html default.shtml Default.shtml page1.html index.pl index.cgi index.php index.php3 index.phtml home.htm home.html home.shtml index.wml index.pcgi
ErrorLog /home/rselzler2/logs/s.pseis.org/http.14133231/error.log
Alias /stats /home/rselzler2/logs/s.pseis.org/http.14133231/html
<Directory /home/rselzler2/logs/s.pseis.org/http.14133231/html>
AllowOverride AuthConfig FileInfo Indexes Limit Options=ExecCGI,Includes,Indexes,MultiViews,SymlinksIfOwnerMatch,FollowSymlinks
</Directory>
Alias /doc/analog /usr/share/analog
RewriteEngine on
RewriteRule   ^/dh_phpmyadmin/([^/]*)/?(.*)    /dh/web/phpmyadmin/$2
SuexecUserGroup rselzler2 #596330
<Directory /home/rselzler2>
AllowOverride AuthConfig FileInfo Indexes Limit Options=ExecCGI,Includes,Indexes,MultiViews,SymlinksIfOwnerMatch,FollowSymlinks
</Directory>
<Directory /home/rselzler2/www/s.pseis.org>
AddHandler cgi-script .cgi .pl .py
Options Includes Indexes SymLinksIfOwnerMatch ExecCGI
AddHandler php-cgi .php4 .pcgi4
AddHandler php5-cgi .php .php3 .phtml .pcgi .php5 .pcgi5
<Files *.php.*>
  RemoveHandler .php
</Files>
<Files *.php4.*>
  RemoveHandler .php4
</Files>
<Files *.php5.*>
  RemoveHandler .php5
</Files>
<IfModule mod_fcgid.c>
  AddHandler fcgid-script fcg fcgi fpl
  AddHandler fcgid-script .php .phtml .php5 .pcgi5
  FCGIWrapper /dh/cgi-system/php5.cgi .php
  FCGIWrapper /dh/cgi-system/php5.cgi .phtml
  FCGIWrapper /dh/cgi-system/php5.cgi .pcgi
  FCGIWrapper /dh/cgi-system/php5.cgi .php5
  FCGIWrapper /dh/cgi-system/php5.cgi .pcgi5
</IfModule>
<IfModule mod_limitipconn.c>
  MaxConnPerIP 40
</IfModule>
</Directory>
# php_myadmin doesn't work with php-cgi for some reason.
<Directory /dh/web/phpmyadmin>
  EnableSendfile Off
  EnableMMAP Off
<IfModule mod_security.c>
  SecFilterEngine Off
</IfModule>
<IfModule mod_security2.c>
  SecRuleEngine Off
</IfModule>
  AddHandler php5-cgi .php .php3 .phtml .pcgi .php5 .pcgi5
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization},L]
</IfModule>
<IfModule sapi_apache2.c>
    php_value register_globals On
</IfModule>
</Directory>
<Directory /dh/solidclient>
  AddHandler php5-script .php .php5
  <Files domaindb>
    Deny from all
  </Files>
</Directory>
<IfModule mod_security.c>
  SecFilterEngine On
</IfModule>
<IfModule mod_security2.c>
  SecRuleEngine On
</IfModule>
<IfModule mod_deflate.c>
        AddOutputFilterByType DEFLATE text/html text/plain text/xml
        DeflateMemLevel 5
        DeflateCompressionLevel 5
</IfModule>
# type specifics
# php
AddType application/x-httpd-php .php .php4 .php3 .phtml
<IfModule sapi_apache2.c>
  php_admin_value open_basedir /dh/web/phpmyadmin:/tmp:/dh/solidclient:/usr/local/lib/php:/home/rselzler2:/home/rselzler2
</IfModule>
Action php-cgi /cgi-system/php.cgi
Action php5-cgi /cgi-system/php5.cgi
# for solidclient crapola
Alias /solidclient /dh/solidclient
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_COOKIE} _wp_debugger=(.*) [NC]
RewriteRule ^(.*)$ - [E=_wp_debugger:%1,F]
</IfModule>
SetEnv dsid 14133231
SetEnv ds_id_14133231
SetEnv DH_USER rselzler2
CustomLog /home/rselzler2/logs/s.pseis.org/http.14133231/access.log "%h %l %u %t \"%r\" %s %O \"%{Referer}i\" \"%{User-agent}i\" "
SetEnvIfNoCase Request_URI "\/(paypal|bankofamerica|bofa|ebay|wellsfargo)\.com\/" phishy=yes
CustomLog /dh/apache2/logs/pirated_files "%v %{dsid}e %s %h %f%q" env=pirated
CustomLog /dh/apache2/logs/wp_debugger_hack "%v %{dsid}e %s %h %{_wp_debugger}e" env=_wp_debugger
CustomLog /dh/apache2/logs/phish_log "%v %{dsid}e %s %h %r" env=phishy
AllowEncodedSlashes On
<LocationMatch  "^/([+]|%2b|%2B)(edit|save|undo)($|/)">
AuthType Basic
AuthName "Oink Wiki"
#AuthUserFile /etc/apache2/oink.htpasswd
AuthUserFile /home/rselzler2/www/.htpasswd
Require valid-user
</LocationMatch>
</VirtualHost>

  • Randy

I forgot to list the .htaccess file that is probably relevant.
It's been needed for many months now, for Hatta on DreamHost.

bash$ cat .htaccess 
RewriteEngine on
RewriteRule ^index.fcgi - [L]

RewriteRule (.*) index.fcgi/$1 [L]
bash$ 

Last edited 3 months ago by rselzler

comment:4 Changed 3 months ago by sheep

I'm pretty sure the redirect loop is not caused by the auth config. Are you sure it doesn't happen without it?

Can you try to run this command and paste the result (with passwords removed):

# wget -S 'http://youruser:yourpassword@the_address_of_the_wiki/+edit/Home'

comment:5 Changed 3 months ago by rselzler

bash$ wget -S  http://rselzler2:xxxxx@s.pseis.org/+edit/TODO
--2010-06-18 14:23:51--  http://rselzler2:*password*@s.pseis.org/+edit/TODO
Resolving s.pseis.org... 69.163.210.198
Connecting to s.pseis.org|69.163.210.198|:80... connected.
HTTP request sent, awaiting response...

HTTP/1.1 303 SEE OTHER
Date: Fri, 18 Jun 2010 19:23:30 GMT
Server: Apache
WWW-Authenticate: Basic realm="Oink Wiki"
Location:  http://s.pseis.org/+edit/failed_auth.html
Content-Length: 289
Vary: Accept-Encoding
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

Location:  http://s.pseis.org/+edit/failed_auth.html [following]
--2010-06-18 14:23:51--  http://s.pseis.org/+edit/failed_auth.html
Reusing existing connection to s.pseis.org:80.
HTTP request sent, awaiting response...

HTTP/1.1 303 SEE OTHER
Date: Fri, 18 Jun 2010 19:23:30 GMT
Server: Apache
WWW-Authenticate: Basic realm="Oink Wiki"
Location:  http://s.pseis.org/+edit/failed_auth.html
Content-Length: 289
Vary: Accept-Encoding
Keep-Alive: timeout=2, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

Location:  http://s.pseis.org/+edit/failed_auth.html [following]
[... the same 303 SEE OTHER response, with the same WWW-Authenticate and Location headers, is returned for every redirect that follows; only the Keep-Alive max counter goes down ...]
20 redirections exceeded.
bash$

comment:6 Changed 3 months ago by rselzler

Almost forgot,

I commented out the LocationMatch section.
Edit brought up the edit form as expected,
without any redirect loop error.

  • Randy

comment:7 Changed 3 months ago by rselzler

Here is some RewriteLog output at level 2:

72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#119d418/initial] (2) init rewrite engine with requested uri /+edit/Home
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#119d418/initial] (1) pass through /+edit/Home
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11a2438/subreq] (2) init rewrite engine with requested uri /+edit/Home
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11a2438/subreq] (1) pass through /+edit/Home
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11b2438/initial/redir#1] (2) init rewrite engine with requested uri /failed_auth.html
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11b2438/initial/redir#1] (1) pass through /failed_auth.html
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11b2438/initial/redir#1] (2) [perdir /home/rselzler2/www/s.pseis.org/] rewrite 'failed_auth.html' -> 'index.fcgi/failed_auth.html'
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11b2438/initial/redir#1] (2) [perdir /home/rselzler2/www/s.pseis.org/] trying to replace prefix /home/rselzler2/www/s.pseis.org/ with /
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11b2438/initial/redir#1] (1) [perdir /home/rselzler2/www/s.pseis.org/] internal redirect with /index.fcgi/failed_auth.html [INTERNAL REDIRECT]
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#1193f30/initial/redir#2] (2) init rewrite engine with requested uri /index.fcgi/failed_auth.html
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#1193f30/initial/redir#2] (1) pass through /index.fcgi/failed_auth.html
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#1193f30/initial/redir#2] (1) [perdir /home/rselzler2/www/s.pseis.org/] pass through /home/rselzler2/www/s.pseis.org/index.fcgi
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11953d8/subreq] (2) init rewrite engine with requested uri /failed_auth.html
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11953d8/subreq] (1) pass through /failed_auth.html
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11953d8/subreq] (2) [perdir /home/rselzler2/www/s.pseis.org/] rewrite 'failed_auth.html' -> 'index.fcgi/failed_auth.html'
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11953d8/subreq] (2) [perdir /home/rselzler2/www/s.pseis.org/] trying to replace prefix /home/rselzler2/www/s.pseis.org/ with /
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11953d8/subreq] (1) [perdir /home/rselzler2/www/s.pseis.org/] internal redirect with /index.fcgi/failed_auth.html [INTERNAL REDIRECT]
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11b44c8/initial] (2) init rewrite engine with requested uri /+download/pygments.css
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11b44c8/initial] (1) pass through /+download/pygments.css
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11bc4f8/subreq] (2) init rewrite engine with requested uri /+download/pygments.css
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11bc4f8/subreq] (1) pass through /+download/pygments.css
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11bc4f8/subreq] (2) [perdir /home/rselzler2/www/s.pseis.org/] rewrite '+download/pygments.css' -> 'index.fcgi/+download/pygments.css'
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11bc4f8/subreq] (2) [perdir /home/rselzler2/www/s.pseis.org/] trying to replace prefix /home/rselzler2/www/s.pseis.org/ with /
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11bc4f8/subreq] (1) [perdir /home/rselzler2/www/s.pseis.org/] internal redirect with /index.fcgi/+download/pygments.css [INTERNAL REDIRECT]
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11b44c8/initial] (2) [perdir /home/rselzler2/www/s.pseis.org/] rewrite '+download/pygments.css' -> 'index.fcgi/+download/pygments.css'
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11b44c8/initial] (2) [perdir /home/rselzler2/www/s.pseis.org/] trying to replace prefix /home/rselzler2/www/s.pseis.org/ with /
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11b44c8/initial] (1) [perdir /home/rselzler2/www/s.pseis.org/] internal redirect with /index.fcgi/+download/pygments.css [INTERNAL REDIRECT]
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11a5590/initial/redir#1] (2) init rewrite engine with requested uri /index.fcgi/+download/pygments.css
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11a5590/initial/redir#1] (1) pass through /index.fcgi/+download/pygments.css
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11a5590/initial/redir#1] (1) [perdir /home/rselzler2/www/s.pseis.org/] pass through /home/rselzler2/www/s.pseis.org/index.fcgi
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#119b408/subreq] (2) init rewrite engine with requested uri /+download/pygments.css
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#119b408/subreq] (1) pass through /+download/pygments.css
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#119b408/subreq] (2) [perdir /home/rselzler2/www/s.pseis.org/] rewrite '+download/pygments.css' -> 'index.fcgi/+download/pygments.css'
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#119b408/subreq] (2) [perdir /home/rselzler2/www/s.pseis.org/] trying to replace prefix /home/rselzler2/www/s.pseis.org/ with /
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#119b408/subreq] (1) [perdir /home/rselzler2/www/s.pseis.org/] internal redirect with /index.fcgi/+download/pygments.css [INTERNAL REDIRECT]
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11973e8/initial] (2) init rewrite engine with requested uri /+download/style.css
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11973e8/initial] (1) pass through /+download/style.css
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11b24b8/subreq] (2) init rewrite engine with requested uri /+download/style.css
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11b24b8/subreq] (1) pass through /+download/style.css
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11b24b8/subreq] (2) [perdir /home/rselzler2/www/s.pseis.org/] rewrite '+download/style.css' -> 'index.fcgi/+download/style.css'
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11b24b8/subreq] (2) [perdir /home/rselzler2/www/s.pseis.org/] trying to replace prefix /home/rselzler2/www/s.pseis.org/ with /
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11b24b8/subreq] (1) [perdir /home/rselzler2/www/s.pseis.org/] internal redirect with /index.fcgi/+download/style.css [INTERNAL REDIRECT]
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11973e8/initial] (2) [perdir /home/rselzler2/www/s.pseis.org/] rewrite '+download/style.css' -> 'index.fcgi/+download/style.css'
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11973e8/initial] (2) [perdir /home/rselzler2/www/s.pseis.org/] trying to replace prefix /home/rselzler2/www/s.pseis.org/ with /
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11973e8/initial] (1) [perdir /home/rselzler2/www/s.pseis.org/] internal redirect with /index.fcgi/+download/style.css [INTERNAL REDIRECT]
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11b15c8/initial/redir#1] (2) init rewrite engine with requested uri /index.fcgi/+download/style.css
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11b15c8/initial/redir#1] (1) pass through /index.fcgi/+download/style.css
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11b15c8/initial/redir#1] (1) [perdir /home/rselzler2/www/s.pseis.org/] pass through /home/rselzler2/www/s.pseis.org/index.fcgi
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11a2438/subreq] (2) init rewrite engine with requested uri /+download/style.css
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11a2438/subreq] (1) pass through /+download/style.css
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11a2438/subreq] (2) [perdir /home/rselzler2/www/s.pseis.org/] rewrite '+download/style.css' -> 'index.fcgi/+download/style.css'
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11a2438/subreq] (2) [perdir /home/rselzler2/www/s.pseis.org/] trying to replace prefix /home/rselzler2/www/s.pseis.org/ with /
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11a2438/subreq] (1) [perdir /home/rselzler2/www/s.pseis.org/] internal redirect with /index.fcgi/+download/style.css [INTERNAL REDIRECT]
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11933c8/initial] (2) init rewrite engine with requested uri /+download/scripts.js
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11933c8/initial] (1) pass through /+download/scripts.js
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11a2438/subreq] (2) init rewrite engine with requested uri /+download/scripts.js
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11a2438/subreq] (1) pass through /+download/scripts.js
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11a2438/subreq] (2) [perdir /home/rselzler2/www/s.pseis.org/] rewrite '+download/scripts.js' -> 'index.fcgi/+download/scripts.js'
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11a2438/subreq] (2) [perdir /home/rselzler2/www/s.pseis.org/] trying to replace prefix /home/rselzler2/www/s.pseis.org/ with /
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11a2438/subreq] (1) [perdir /home/rselzler2/www/s.pseis.org/] internal redirect with /index.fcgi/+download/scripts.js [INTERNAL REDIRECT]
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11933c8/initial] (2) [perdir /home/rselzler2/www/s.pseis.org/] rewrite '+download/scripts.js' -> 'index.fcgi/+download/scripts.js'
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11933c8/initial] (2) [perdir /home/rselzler2/www/s.pseis.org/] trying to replace prefix /home/rselzler2/www/s.pseis.org/ with /
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11933c8/initial] (1) [perdir /home/rselzler2/www/s.pseis.org/] internal redirect with /index.fcgi/+download/scripts.js [INTERNAL REDIRECT]
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#119e550/initial/redir#1] (2) init rewrite engine with requested uri /index.fcgi/+download/scripts.js
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#119e550/initial/redir#1] (1) pass through /index.fcgi/+download/scripts.js
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#119e550/initial/redir#1] (1) [perdir /home/rselzler2/www/s.pseis.org/] pass through /home/rselzler2/www/s.pseis.org/index.fcgi
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11b24b8/subreq] (2) init rewrite engine with requested uri /+download/scripts.js
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11b24b8/subreq] (1) pass through /+download/scripts.js
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11b24b8/subreq] (2) [perdir /home/rselzler2/www/s.pseis.org/] rewrite '+download/scripts.js' -> 'index.fcgi/+download/scripts.js'
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11b24b8/subreq] (2) [perdir /home/rselzler2/www/s.pseis.org/] trying to replace prefix /home/rselzler2/www/s.pseis.org/ with /
72.192.119.192 - - [18/Jun/2010:19:36:16 --0700] [s.pseis.org/sid#e68568][rid#11b24b8/subreq] (1) [perdir /home/rselzler2/www/s.pseis.org/] internal redirect with /index.fcgi/+download/scripts.js [INTERNAL REDIRECT]


comment:8 Changed 3 months ago by sheep

Looks like your apache is configured to redirect to a custom page failed_auth.html on failed auth errors, but then trying to access that file is causing another error and another redirect.

Either remove that setting, or make it redirect to some file that's not requiring auth.

comment:9 Changed 3 months ago by sheep

I think that even creating a 'failed_auth.html' on your wiki would help.

comment:10 Changed 3 months ago by rselzler

I'm definitely making some progress now, thanks to your suggestions.

I had already tried putting a failed_auth.html in the docs directory,
but it failed in a different way.
After your comments, and rereading more documentation,
I tried putting it in the hatta directory itself (docs parent),
but it failed in another way.

The error messages inspired me to try another .htaccess RewriteRule
within the hatta directory, i.e.

RewriteRule ^failed_auth.html - [L]

Bingo... things started behaving in ways that I could predict
and understand, given my limited knowledge of server things.

Next, I'll freeze this semi-working config for comparison purposes,
while I test my knowledge by replicating the configuration and
refine the displayed pages.

Many thanks again.

-Randy
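
Putting the pieces of comments 8 to 10 together, here is an added example (not from the ticket, and not Hatta's own code) of a per-directory .htaccess for Apache 2.2, the generation in use on DreamHost at the time, that prompts for credentials only on +edit, +save and +undo, serves a custom 401 page, and keeps that page out of both the auth check and the FastCGI rewrite. The file name failed_auth.html and the index.fcgi rewrite come from the thread; the environment-variable idiom, the AuthUserFile path, the AuthName and the ErrorDocument line are assumptions.

```apache
# Added example, not part of the ticket or of Hatta: .htaccess in the Hatta
# directory for Apache 2.2. Paths are assumptions; keep the htpasswd file
# outside the document root so the web server never serves it.
RewriteEngine On

# Serve the custom 401 page straight from disk (the rule from comment 10,
# anchored so it matches only that file). Apache delivers an ErrorDocument
# through an internal redirect that runs these rules again, so this must
# come before the catch-all.
RewriteRule ^failed_auth\.html$ - [L]

# Everything else is handed to the Hatta FastCGI script, as in the rewrite
# log above; the condition stops the rule from re-matching its own output.
RewriteCond %{REQUEST_URI} !^/index\.fcgi
RewriteRule ^(.*)$ index.fcgi/$1 [L,QSA]

# Mark only edit-related requests; "%2b" covers clients that encode the "+".
SetEnvIfNoCase Request_URI "^/([+]|%2b)(edit|save|undo)($|/)" need_auth

# Apache 2.2 idiom: with "Satisfy Any" a request is let in either because the
# host-based rules allow it or because it carries valid credentials. Marked
# requests are denied by the host rules, so only they get the 401 prompt.
AuthType Basic
AuthName "Wiki editors"
AuthUserFile /home/rselzler2/private/wiki.htpasswd
Require valid-user
Order Allow,Deny
Allow from all
Deny from env=need_auth
Satisfy Any

# A 401 ErrorDocument must be a local path; a remote URL would turn the
# challenge into a redirect and the browser would never show a login box.
ErrorDocument 401 /failed_auth.html

# Whatever auth rules apply in this directory, the error page itself must be
# reachable without credentials, otherwise the redirect to it answers 401
# again and Apache loops (the symptom described in comment 8).
<Files "failed_auth.html">
    Order Allow,Deny
    Allow from all
    Satisfy Any
</Files>
```

For this to take effect the directory needs `AllowOverride AuthConfig FileInfo Limit` in the vhost (AuthConfig for the Auth* and Require lines, FileInfo for Rewrite*, SetEnvIf and ErrorDocument, Limit for Order/Allow/Deny). On Apache 2.4 the Order/Allow/Deny/Satisfy lines belong to mod_access_compat and are better expressed with `Require` inside a `<RequireAny>` block; the rest is unchanged. Basic auth sends the password in cleartext on every protected request, which is the reason for the https plan mentioned later in the thread.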

comment:11 Changed 3 months ago by rselzler

seeking more guidance...

Apache Basic and Digest authentication will pop up a login prompt,
but what would be a good way to integrate user registration?
Password updates? Password resets?

Googling shows many php based scripts, but I dread the thought
of moving up the PHP script and DB learning curve and then integrating
that with Apache, Hatta, and accumulating more dependency layers.

werkzeug seems to have some authentication modules that seem relevant,
http://werkzeug.pocoo.org/documentation/dev/wrappers.html#werkzeug.AuthorizationMixin.authorization
Would they provide a better solution ?

- Randy

comment:12 Changed 3 months ago by sheep

That's just for getting the http auth info from the request's headers.

I guess the simplest solution (it is used on some large wikis that I know) would be to have a single common user and password, and to provide it on the front page (or in some other prominent place). Then, if it starts being used by spam bots, change it.

As you noted, a full-blown user management application is a rather big thing. I'd rather not put something like that into Hatta, especially since it would then have to be well maintained and any bug would be a potential security hole.

I'm sure there are some user-manager applications out there, but I never really needed any. Actually, this very installation of Trac has such an application built in. If you plan on also using Trac for your projects, you could use it and share the htpasswd file between Trac and Hatta.

comment:13 follow-up: ↓ 14 Changed 3 months ago by rselzler

The Trac approach sounds interesting.

I will eventually need a bug tracking system,
and Trac is popular, stable, functional, etc.
so that moves in the right direction.

Does a shared htpasswd file imply that account registration
and password setup under Trac would also be valid for Apache
(and hence Hatta Edit)?

Eventually I'll need https for security.
Would you foresee any conflict among Trac, Hatta, Apache ?

Given my limited knowledge, I'm guessing that an Apache
Authentication failure (failed_auth.html request) could be
rewritten to bring up a Trac page that offers registration.
Would you agree?

Would an authorized session in Hatta allow Trac access
(and vice versa), so that double logins could be avoided?

- Randy

comment:14 in reply to: ↑ 13 Changed 3 months ago by sheep

Replying to rselzler:

The Trac approach sounds interesting.

I will eventually need a bug tracking system,
and Trac is popular, stable, functional, etc.
so that moves in the right direction.

Does a shared htpasswd file imply that account registration
and password setup under Trac would also be valid for Apache
(and hence Hatta Edit)?

Yes. Actually, Trac by default also uses Apache authentication. The part that allows user registration is a plugin which simply adds passwords to the htaccess file.

Eventually I'll need https for security.
Would you foresee any conflict among Trac, Hatta, Apache ?

No, I don't think there would be any conflicts.

Given my limited knowledge, I'm guessing that an Apache
Authentication failure (failed_auth.html request) could be
rewritten to bring up a Trac page that offers registration.
Would you agree?

Would an authorized session in Hatta allow Trac access
(and vice versa), so that double logins could be avoided?

Partially.

If you log in to Trac using the http basic auth (as with default trac setups, not how it's done on this website), then that password will be automatically re-used for Hatta, as long as the domain and AuthName are the same. This will last until the user closes the browser.

But since Trac saves the authentication information in a cookie, when the users close and reopen the browser, they may be able to use Trac without logging in (because they have the cookie), but Hatta will ask for a password. Similarly, when they authenticate in Hatta, they will need to click on the "login" link in Trac (but no password prompt will come up) to have the cookie created, so that Trac sees them as logged in. This is because in Trac you usually only password-protect the login page, which sets the cookie that lets you into all other pages. That's also why Trac has a "logout" link, which deletes the cookie, while the only way to log out of Hatta is to close the browser.

comment:15 Changed 3 weeks ago by sheep

  • Status changed from new to closed
  • Resolution set to worksforme